In a pivotal ruling, Austria’s Supreme Court has determined that Meta’s approach to personalized advertising contravenes European Union data protection laws. This decision underscores the requirement for companies to secure clear and explicit consent from users regarding the utilization of their personal data, a standard which Meta reportedly did not meet. The ruling is available in detail on JURIST.
The court’s decision dismantles Meta’s argument that targeted advertising constitutes a “contractual necessity” under the General Data Protection Regulation (GDPR). Instead, it was concluded that personalized advertisements act more as a funding method for Meta’s services rather than an essential element of social networking functionalities. As a result, Meta is now obligated to furnish plaintiff Max Schrems with a comprehensive record of all personal data processed, pinpointing data sources, usage purposes, and the recipients within 14 days.
Furthermore, the judgment contends that Meta’s current data access utilities, such as the “Download Your Information” feature, inadequately fulfill GDPR’s Article 15, as they merely produce summaries or selectively filtered data rather than full disclosures. Attempts by Meta to protect certain disclosures as trade secrets were also invalidated by the court for a lack of substantiation.
Importantly, the ruling extends to the handling of sensitive data under Article 9 of the GDPR. Meta’s processing of information related to political beliefs, health, and sexual orientation is now restricted unless explicit, informed, and voluntary consent is obtained. Despite Meta’s assertions of neither purposefully gathering such data nor possessing the technical capability to segregate it from other data types, the court’s decision imposes stringent consent requirements.
The protracted legal battle, which spanned over a decade, concluded with the court not only mandating compliance with access obligations but also affirming a symbolic award of €500 to Schrems for Meta’s delay and inadequate data provision. As reported by TechCrunch, Schrems highlighted the broader implication of the ruling, marking a critical precedent for how digital platforms must manage user data throughout the EU.
The decision also reflects on the comprehensive nature of data rights and privacy protection under the GDPR. Aiming to catalyze a reassessment of data practices by global tech giants, the Austrian court’s judgment reinforces the importance of user consent as a cornerstone of lawful data processing. Meta is now under court directive to comply with a December 31, 2025, deadline to provide full data access to Schrems, further illustrating the rigorous enforcement of GDPR standards within the European legal landscape.